Overview

Background: Understand the HIPAA Privacy Regulations
Meaning of Protected Health Information
Permitted Uses and Disclosures
Patients' Rights
Care Provisions under the Bioshield Act of 2004
— Disclosures without regard to the Privacy Rule
Case Scenarios
“Why Worry About Privacy”

An average of 150 people, from nursing staff to x-ray technologists to billing clerks, have access to a patient’s medical records during the course of a typical hospitalization.

Source: The American Health Information Management Association
What is HIPAA?

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
— Portability of health insurance
• Administrative Simplification
— Electronic Transactions, Identifiers & Code Sets: October 16, 2003
— Privacy Protection: April 14, 2003
— Security: April 21, 2005
The Administrative Simplification provisions apply to the following Covered Entities:

1. Health care clearinghouses
2. Health plans
3. Health care providers that meet the HIPAA definition and conduct certain transactions in electronic format, or use a billing service to do so on their behalf
THE HITECH ACT

The HITECH Act

In 2009, President Obama signed the Health Information Technology for Economic and Clinical Health Act (“HITECH”) into law.

What is the purpose of the HITECH Act?
To promote widespread adoption and standardization of health information technology throughout the United States.

Final HITECH rules were still pending at the time of this presentation, close to publishing.

HITECH Privacy & Security

Strengthens privacy and security protections for health information.

Changes to the HIPAA Privacy, Security, and Enforcement Rules:
— Stricter regulations
— Bigger penalties

Business Associates

HIPAA rules now apply to business associates too. Business associates are now subject to the same privacy and security rules as covered entities.
HIPAA Privacy Rule and Its Impact

• First comprehensive federal protection of medical information
— Preempts state law, except state laws that provide stronger privacy protections
• Administrative requirements for covered entities
• Regulates use and disclosure of patient information
• Everyone is accountable for protecting patient privacy
• Establishes appropriate safeguards to protect privacy
• Accountability and penalties
• Public responsibility

Patient Rights
• Control over health information
• Informed choices

(Cartoon caption: “Somehow your medical records got faxed to a complete stranger. He has no idea what’s wrong with you either.”)

Control of Internal Use and External Disclosures

Privacy and Security

Use
— Internal: how PHI is handled by us
Disclosure
— External: how PHI is released
Minimum necessary
— Exception: PHI shared among health care providers for treatment
What is Protected Health Information (PHI)?

• ALL IDENTIFIABLE HEALTH INFORMATION ABOUT A PATIENT
• Relates to the past, present, or future health of the individual, or to past, present or future payment for the provision of health care
• Any information that may be used to identify:
— a patient
— a patient's health
— health care services a patient receives
• A health care provider may create a patient’s PHI or receive it from another provider
• PHI can be in any form:
— Verbal
— Written paper records
— Electronic data
PHI Must Identify an Individual
Contains any of the following 18 Identifiers:

1. Names
2. Addresses (geographic subdivisions smaller than a state)
3. Dates related to the patient (e.g. birth, admission, discharge, death)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographic images
18. Any other unique identifying number, characteristic, or code
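Several of the 18 identifier classes have a recognisable syntax, which is what a DLP filter or log scrubber keys on. The following is an added example, not code from the slide deck or from Swedish Medical Center: a small Python scanner that flags Social Security numbers, phone/fax numbers, email addresses, IP addresses, URLs and dates in free text, de-duplicates overlapping matches (an IP address inside a URL is reported once), and redacts them before text leaves a system. The regular expressions, the class names, and the sample log lines (a hypothetical "date time component LEVEL message" layout using documentation address ranges) are all assumptions made for the example. Names, addresses, medical record numbers, account numbers, biometrics and photos have no reliable textual signature, so a clean result from this scanner does not mean the text is de-identified.

```python
"""Heuristic scanner for several of the 18 Safe Harbor identifier classes.

Added illustration, not code from the slide deck. The regexes and the
constructed log lines below are assumptions for the example: they cover
only identifier classes with a recognisable syntax (SSN, phone/fax, email,
IP address, URL, dates). Names, addresses, medical record numbers, account
numbers, biometrics and photos have no reliable textual signature, so an
empty result does NOT mean the text is de-identified.
"""
import re
from typing import Dict, List, Tuple

# One pattern per identifier class; each is a deliberate simplification.
PATTERNS: Dict[str, re.Pattern] = {
    # Area number 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # North American numbering: optional +1, (206) 555-0142, 206.555.0142, ...
    "phone": re.compile(
        r"(?<![\w.])(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "url": re.compile(r"""\bhttps?://[^\s<>"']+""", re.IGNORECASE),
    # YYYY-MM-DD, MM/DD/YYYY, M-D-YY. Safe Harbor permits a bare year, so a
    # four-digit year on its own is intentionally not matched.
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}[/-]\d{1,2}[/-]\d{2,4})\b"),
}

Hit = Tuple[str, str, int, int]  # (identifier class, matched text, start, end)


def find_identifiers(text: str) -> List[Hit]:
    """Return non-overlapping hits in text order.

    When two classes match the same span (an IP address inside a URL, say)
    the earliest-starting, longest match wins and the nested one is dropped.
    """
    raw = []
    for cls, pat in PATTERNS.items():
        for m in pat.finditer(text):
            raw.append((m.start(), -(m.end() - m.start()), cls, m.group()))
    raw.sort()
    hits: List[Hit] = []
    last_end = -1
    for start, neg_len, cls, value in raw:
        if start < last_end:  # nested inside an earlier, longer hit
            continue
        end = start - neg_len
        hits.append((cls, value, start, end))
        last_end = end
    return hits


def redact(text: str) -> str:
    """Replace every hit with a [CLASS] token, e.g. before forwarding a log."""
    pieces, pos = [], 0
    for cls, _value, start, end in find_identifiers(text):
        pieces.append(text[pos:start])
        pieces.append(f"[{cls.upper()}]")
        pos = end
    pieces.append(text[pos:])
    return "".join(pieces)


# Constructed sample log in a hypothetical "date time component LEVEL message"
# layout. The timestamp describes the event, not a patient, so it is stripped
# before scanning; the addresses are documentation/test ranges.
LOG_PREFIX = re.compile(r"^\S+ \S+ \S+ \w+ ")
SAMPLE_LOG = """\
2024-03-02 08:14:03 portal INFO login user=jdoe@example.org from 203.0.113.7
2024-03-02 08:14:09 billing INFO claim posted ssn=123-45-6789 dob=04/15/1961
2024-03-02 08:15:00 radiology INFO worklist refreshed, 14 studies pending
2024-03-02 08:16:22 callback INFO scheduled call to (206) 555-0142
"""


def scan_log(log: str) -> List[Tuple[int, List[str]]]:
    """Per line, (line number, identifier classes found in the message part)."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        message = LOG_PREFIX.sub("", line, count=1)
        classes = [cls for cls, _v, _s, _e in find_identifiers(message)]
        if classes:
            findings.append((lineno, classes))
    return findings


if __name__ == "__main__":
    for lineno, classes in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {classes}")
    print(redact(LOG_PREFIX.sub("", SAMPLE_LOG.splitlines()[1])))
```

Running it reports the email and IP address on line 1, the SSN and date of birth on line 2 and the phone number on line 4, and prints line 2 with those values replaced by [SSN] and [DATE]. The timestamp prefix is stripped deliberately: run the date pattern over whole log lines and every line is flagged, which is the usual failure mode of naive PHI scanners.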
What forms does PHI take? (Written, Verbal, Visual...)

• Paper copies
• Patient files
• Electronic records
• Telephone calls, e-mail, and voice mail
• Verbal communications
• Fax transmissions
• Internet or intranet transmissions
• Radio communications
• Cameras and voice recorders
• Cellphones and PDAs
(Logos: YouTube, Flickr, WordPress, Google Buzz, Twitter, Foursquare)

Social Media:
• Internet social networking sites
• Blogs and wikis
• Other online forums where people create and share information
Key Requirements and Patient Rights

HIPAA REQUIREMENTS
• Notice of Privacy Practices
— Acknowledgment of receipt signed, dated, recorded
• Privacy policies
• Workforce training
• Complaint process
• Business associates
• Administrative, physical and technical safeguards to protect PHI
• Public responsibilities

PATIENT RIGHTS
• Right to access: copy of records [45 CFR 164.524(a)]
• Amendments [45 CFR 164.526]
• Written acknowledgement of the Notice [45 CFR 164.520]
• Accounting of disclosures [45 CFR 164.528]
• Use or disclosure restrictions [45 CFR 164.522(a)]
• Confidential communications at an alternative location or by alternative means (e.g. a different address) [45 CFR 164.522(b)]
• Facility directory (opt out) [45 CFR 164.510(a)]
• NHIP — Notice of Health Information Practices
Permitted Uses and Disclosures

• Disclosures to the individual
• Treatment, Payment, Health Care Operations (TPO)
• Acknowledgement of Notice of Privacy Practices
• If the individual is informed in advance and given the opportunity to object:
— Facility directory (name, location, general condition)
— Disclosure to family and caregivers involved in current health care; use professional judgment
• Business associate agreement
Use and Disclosure with no permission

• Required by law
• Public health activities
— Public health reporting
— Child abuse, neglect
• Food and Drug Administration
• Victims of domestic violence
• Research purposes
• Communicable disease
• Health oversight
• Employer
• Judicial proceedings
• Law enforcement
— To identify and locate a suspect, fugitive, witness or missing person
— Victim of a crime
• Coroner/Medical examiner
• Organ donation

Exception:
Patient permission or “authorization” is needed to use or share PHI for certain marketing and fund-raising activities.
HIPAA and National Emergency

Bioshield Act (2004)

Provisions that may be waived:
— Opt out of facility directory
— Notice of Health Information Practices
— Restriction request
— Request for confidential communication
HIPAA During Emergency - Activation and Waiver

Applies if:
• The President declares an emergency or disaster, and
• The Secretary of DHHS declares a public health emergency, and
• The Secretary waives sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule

The waiver is limited to:
• Hospitals in the emergency area
• The emergency period identified in the public health emergency declaration
• Hospitals that have instituted a disaster protocol
• Up to 72 hours from the time the hospital implements its disaster protocol
HIPAA During A Declared Emergency

Requirements whose sanctions and penalties may be waived, and the patient right each one affects:

• Requirement to distribute a notice of privacy practices by first delivery of service, with written acknowledgement [45 CFR 164.520]
— Patient's right to notice of privacy practices

• Requirement to obtain a patient's agreement to speak with family members or friends involved in the patient's care [45 CFR 164.510(b)]
— Patient's right to be asked for permission before staff speak to family members or friends

• Requirement to honor a request to opt out of the facility directory [45 CFR 164.510(a)]
— Patient's right to opt out of the facility directory

• Restriction request [45 CFR 164.522(a)]
— Patient's right to request privacy restrictions: ask for limits on how their PHI is used or shared

• Request for confidential communication [45 CFR 164.522(b)]
— Patient's right to request confidential communications, for example to be contacted at work and not at home
How Does HIPAA Impact Me?

Non-Emergency
• Role-based access
• Overheard conversations
• Overseen patient treatment
• Overseen medical records
• Inappropriate requests to transmit PHI over the radio
Respecting Patient Privacy Online

Avoid ALL references to patients (even “anonymous” ones) when online.

While it may seem OK to talk about an interesting case online if you're not mentioning the patient by name, you could be facing a HIPAA violation if there are enough details in the post for the patient to be recognized.

(Example post shown on the slide: “What a day! I worked with the bravest little boy today who is recovering” [rest of the post not legible])
Preventing Privacy Incidents - Be a Good Steward

DO dispose of all paper documents containing PHI (for example orders and patient labels) in locked, confidential shredding bins.

DO NOT put these documents in the trash or in the general paper recycling bins.
Willful Neglect and Malicious Intent

• What does “willful neglect” mean?
— A finding of willful neglect means there was a conscious, intentional failure, or reckless indifference to the obligation, to comply with the HIPAA provision which was violated.
• DHHS investigates all violations due to willful neglect and imposes civil penalties for these HIPAA violations.

An Example of Willful Neglect...
The leaders of Imagine Airy Clinic know the rules about safeguarding PHI, but confidential shredding bins are big and bulky. They decide to instruct staff to put all waste paper (even if it contains PHI) in regular recycle bins and hope for the best.

Malicious Intent?
Inappropriate use or disclosure of PHI for personal use or gain.
HITECH Civil Money & Criminal Penalties

The HITECH Act’s tiered civil penalties for HIPAA violations:

Type of Violation                      | Penalty for Each Violation | Maximum per Year for Identical Violations
Did Not Know                           | $100 - $50,000             | $1,500,000
Reasonable Cause                       | $1,000 - $50,000           | $1,500,000
Willful Neglect - Corrected in 30 Days | $10,000 - $50,000          | $1,500,000
Willful Neglect - Not Corrected        | $50,000                    | $1,500,000

HITECH criminal penalties:

Violation          | Penalty
Knowing Violations | Up to $50,000 in fines and 1 year in prison
False Pretenses    | Up to $100,000 in fines and 5 years in prison
Intent to Sell     | Up to $250,000 in fines and 10 years in prison
“The Rule of Disclosure”

What to do when unsure about giving out PHI:

• Report to your manager/supervisor
— Use your chain of command or another responsible person
• Always ask the patient first
• If the patient is unable to respond, do what is in their best interest, using professional judgment
• Disclose only information that is directly relevant to the person's involvement with the patient's health care
• Always use the Minimum Necessary standard
• Do not use or disclose information without the patient's authorization
— Except for TPO or during a declared emergency
HIPAA Quiz

Question 1: What is the meaning of the acronym HIPAA?

Question 2: True or False?
Health care workers are allowed to take any PHI outside of the clinical setting.

Question 3: True or False?
People who don't work with patient records are not responsible for maintaining the confidentiality of protected health information (PHI).

Question 4: Appropriate or Inappropriate?
During your assignment you came across a college classmate who had been admitted to the hospital. You learned during your duties about the diagnosis and the reason for admission. Upon arriving home you post on Facebook telling her friends to sign a card.

Question 5: The President has issued a state of emergency, the Secretary has declared one as well, the hospital has a disaster protocol in place, and you have access to a patient's PHI. How do you know if you can share information with the spouse?
1. Ask the patient first
2. Verify the authority of the individual
3. Information may be provided

Question 6: True or False?
HIPAA regulations apply only to health care records that are stored electronically (on computers).

Question 7: True or False?
The HIPAA Privacy Rule is suspended during a national or public health emergency.
Need More Info?

• RESOURCES
— DHHS Emergency Preparedness Planning and Response
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/index.html
— Disclosing PHI in Emergency Situations
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/katrinanhipaa.pdf
— HIPAA Privacy Rule: Disclosures for Emergency Preparedness — Decision Tool
http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/emergencyprepdisclose.pdf
— HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/privrulepd.pdf
Questions?

“See no PHI; Hear no PHI; Speak no PHI”
Contact Information

Theresa Bervell, MHA, RHIA, CHPC
Privacy Program Manager
Swedish Medical Center Privacy Office
Corporate Compliance Department
747 Broadway, Seattle, WA 98122
Office: 206 386-6985 | Cell: 206 734-7499